A Virtual Private Network (VPN) uses a Service Provider (SP) network as a transport foundation to establish secure network communication links. VPN technology uses the SP network to provide the appearance of a private network linking business partners, regional and isolated offices of an enterprise, or other users. A VPN can significantly decrease the cost of providing secure communications to a mobile workforce, and can mimic leased-line private network access. The effects of VPNs on organizations employing them have been dramatic: sales have increased, product development has accelerated, and strategic partnerships have strengthened in ways never before possible. Since access to VPN entry points is generally available locally, VPNs offer a less expensive alternative to dedicated remote access connections.
In general, a VPN is implemented by communicatively coupling a plurality of routers, switches, gateways, and firewalls in one or more local area networks, wide area networks, or internetworks using secure tunneling protocols. End stations such as personal computers, workstations, servers, printers, and IP phones are communicatively coupled to the network devices. Although the internetwork infrastructure is public, the end stations are generally associated with one or more unrelated organizations. To prevent a second organization from receiving and using information transmitted from a first organization, a router at an edge of the first organization's network typically encrypts and specially treats outbound requests. The outbound requests then pass through devices within the network and through any related networks as if they were normal (non-VPN) traffic. Requests can enter a particular destination local area network only if the VPN traffic is associated with that destination network. If not, the request is recognized as outside the VPN and blocked or dropped.
Multiprotocol Label Switching (MPLS)-based VPNs are defined in RFC 2547bis, published by the Internet Engineering Task Force (IETF) L3VPN working group. The RFC defines the use of the BGP interdomain routing protocol for distributing VPN labels. An internal BGP session is established between two edge routers, such as two provider edge routers of a network service provider. Label Distribution Protocol (LDP) is used to distribute MPLS labels to routers and switches in the core of the service provider network. In the edge routers, VPN routing and forwarding (VRF) instances, also termed VRF tables, are derived from the global routing tables that reside in each router. One VRF is assigned to each subscriber connecting to the SP network at a particular site. Since there are multiple VRFs and one global routing table, a service provider can offer a VPN service as well as Internet service over the same connection. When traffic arrives on a VPN, the forwarding decision is made according to the associated VRF. Non-VPN traffic is routed using the global routing table.
Network administrators may use router and switch configuration commands to establish MPLS VPN configurations at routers and switches at different times. When a Network Management System (NMS) is used to manage the network, the NMS may not have information specifying which routers and switches were configured with MPLS VPNs before the NMS began operating. Thus, providing techniques for effective discovery of existing MPLS VPN services that are configured in a network is a challenge in the design of an NMS. Managing such networks requires discovery of the MPLS VPN services that have been configured in the past or by other tools, and bringing information about those services into the NMS database. However, past approaches do not provide a solution for this issue.
For example, one prior approach proposes a mechanism that enables a tag-switching router (TSR) to discover potential tag distribution protocol (TDP) peers. To engage in discovery on an interface, a TSR periodically sends TDP Link Hello messages out the interface. TDP Link Hellos are sent as UDP packets addressed to the well-known TDP discovery port for the “all routers” group multicast address. Responses to the Link Hello provide TDP peer identifying information. However, significant problems with this approach occur when the TDP peers are in VPNs, because the identifying information may use private addresses that overlap across multiple VPNs of different entities. Thus, the identifying information does not accurately indicate which peers are involved in which VPNs.
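The per-VRF forwarding rule described above and the address-overlap problem in the last paragraph, as an added example that is not part of the original text: the routing tables, labels, next hops and hello record layout below are constructed assumptions, not the format of any real TDP message or NMS.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Route entry: (prefix, next hop, VPN label); label None means plain IP forwarding.
Route = Tuple[ipaddress.IPv4Network, str, Optional[int]]

def net(p: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(p)

# Constructed sample tables. Customers A and B both use the private prefix 10.1.0.0/24.
VRFS: Dict[str, List[Route]] = {
    "cust_a": [(net("10.1.0.0/24"), "PE2", 101), (net("0.0.0.0/0"), "PE2", 100)],
    "cust_b": [(net("10.1.0.0/24"), "PE3", 201)],
}
GLOBAL: List[Route] = [(net("198.51.100.0/24"), "INET-GW", None),
                       (net("0.0.0.0/0"), "INET-GW", None)]

def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match over one routing table (a VRF or the global table)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for route in table:
        if addr in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best

def forward(vrf: Optional[str], dst: str) -> Optional[Route]:
    """PE forwarding decision: traffic that arrived on a VPN uses that VPN's VRF;
    non-VPN traffic uses the global routing table."""
    table = VRFS[vrf] if vrf is not None else GLOBAL
    return lookup(table, dst)

# Constructed hello responses an NMS might collect (hypothetical record layout).
HELLOS = [
    {"vrf": "cust_a", "peer_ip": "10.1.0.1", "router_id": "ce-a1"},
    {"vrf": "cust_b", "peer_ip": "10.1.0.1", "router_id": "ce-b7"},
]

def discover_by_ip(hellos) -> Dict[str, str]:
    """Naive discovery keyed on the peer address alone: overlapping private
    addresses from different VPNs collide and one peer overwrites the other."""
    return {h["peer_ip"]: h["router_id"] for h in hellos}

def discover_by_vrf(hellos) -> Dict[Tuple[str, str], str]:
    """Discovery keyed on (VRF, address) keeps peers from different VPNs distinct."""
    return {(h["vrf"], h["peer_ip"]): h["router_id"] for h in hellos}
```

The same destination address resolves to different next hops and labels depending on the VRF it arrived in, and the naive discovery table ends up with one entry for two distinct peers.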